S 4.362 Secure configuration of Bluetooth
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator, User
The configuration preset by the vendor or dealer should always be checked and, wherever possible, changed, because the delivered configuration is often insecure:
- Bluetooth devices are often delivered with many services activated so that every form of communication with other devices works out of the box. Services that are not required should be disabled permanently. Services that are required only occasionally should be activated only when they are needed and disabled again immediately afterwards.
- The Bluetooth interfaces of the devices should be disabled if not in use.
- Bluetooth devices should be configured to be as little "open" as possible. Where the device supports it, the operating modes 'non-discoverable', 'non-connectable' and 'non-pairable' (or 'non-bondable') should be set. Note that 'non-discoverable' only stops the device from answering inquiries from unknown devices; a device whose Bluetooth address is already known can still connect unless 'non-connectable' is set as well.
- The Bluetooth range should be limited to the intended areas. For this, the transmitting power of Bluetooth devices should be as low as possible and chosen according to the needs of the respective function: class 1 devices transmit with up to 100 mW (roughly 100 m), class 2 with up to 2.5 mW (roughly 10 m) and class 3 with up to 1 mW (a few metres at most). For example, a notebook that is only connected to a mobile phone a few metres away should use a class 3 Bluetooth device.
- If possible, preset PINs should be changed immediately.
- PINs should be as long as the devices allow (legacy pairing permits up to 16 characters) and consist of random characters; fixed values such as "0000" or "1234" must not be used.
- Authentication and encryption should be selected in accordance with the required protection.
- In environments with normal protection requirements, the cryptographic mechanisms built into Bluetooth, in particular its link encryption, are sufficient, even when the weaknesses published so far are taken into account. Where the protection requirements are higher, additional measures beyond what Bluetooth itself provides must be taken, for example encryption at the application layer.
- For strong encryption, the negotiated encryption key should be at least 64 bits long, and as long as possible. Bluetooth allows encryption key sizes from 8 to 128 bits in 8-bit steps, negotiated between the two devices when the link is set up. Only point-to-point encryption should be accepted, not the broadcast encryption mode in which all devices of a piconet share one master key. Because the key length is negotiated by the devices and cannot normally be preset by the user, only devices that meet these requirements should be used, if possible.
Furthermore, the Bluetooth devices should be checked regularly for hidden services and open ports (RFCOMM channels, L2CAP PSMs) with suitable tools, for example by browsing each device's SDP service records (sdptool browse in BlueZ) and comparing the result with the list of services that are actually required.
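The following script is an added example, not part of the original safeguard text, showing how the two recommendations above (a non-discoverable, non-pairable default configuration, and a regular check for unexpected services) can be verified on a Linux host running BlueZ. It checks the persistent DiscoverableTimeout and PairableTimeout settings in /etc/bluetooth/main.conf (in that file a value of 0 does not switch the mode off but disables the timer, so the adapter stays discoverable or pairable indefinitely once the mode is enabled) and parses the output of sdptool browse against an allow-list of permitted service class UUIDs. Both input samples are constructed inline; the allow-list, the 180-second policy maximum and the host name are assumptions for the example.

```python
"""Audit a BlueZ (Linux) host against the Bluetooth configuration rules above:
persistent discoverable/pairable settings and the services advertised over SDP."""
import configparser
import re

# Constructed sample of /etc/bluetooth/main.conf with both timeouts set to 0.
# In main.conf, 0 does not mean "off": it disables the timer, so the adapter
# stays discoverable and pairable indefinitely once those modes are enabled.
SAMPLE_MAIN_CONF = """\
[General]
Name = workstation-42
DiscoverableTimeout = 0
PairableTimeout = 0
"""

# Constructed sample of `sdptool browse <bdaddr>` output (BlueZ). The third
# record has no Service Name and is identifiable only by its class UUID.
SAMPLE_SDP = """\
Browsing 00:11:22:33:44:55 ...
Service Name: Headset Audio Gateway
Service RecHandle: 0x10001
Service Class ID List:
  "Headset Audio Gateway" (0x1112)
  "Generic Audio" (0x1203)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2

Service Name: OBEX Object Push
Service RecHandle: 0x10005
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9

Service RecHandle: 0x10007
Service Class ID List:
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 3
"""

ALLOWED_CLASS_IDS = {0x1112, 0x1203}  # assumed policy: only the headset profile
MAX_TIMEOUT_S = 180                    # assumed policy: modes time out within 3 min

def check_main_conf(text):
    """Return {option: reason} for [General] settings that violate the policy."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    general = cfg["General"] if cfg.has_section("General") else {}
    # BlueZ defaults when unset: DiscoverableTimeout 180 s, PairableTimeout 0
    values = {"DiscoverableTimeout": int(general.get("DiscoverableTimeout", "180")),
              "PairableTimeout": int(general.get("PairableTimeout", "0"))}
    findings = {}
    for option, seconds in values.items():
        if seconds == 0:
            findings[option] = "0 disables the timer: mode never switches off"
        elif seconds > MAX_TIMEOUT_S:
            findings[option] = f"{seconds} s exceeds policy maximum {MAX_TIMEOUT_S} s"
    return findings

UUID_RE = re.compile(r'"[^"]*"\s+\((0x[0-9a-fA-F]+)\)')
CHANNEL_RE = re.compile(r"^\s+Channel:\s+(\d+)")

def parse_sdptool_browse(text):
    """Split `sdptool browse` output into one dict per SDP service record."""
    lines = [l for l in text.splitlines() if not l.startswith("Browsing")]
    records = []
    for block in re.split(r"\n\s*\n", "\n".join(lines).strip()):
        rec = {"name": None, "handle": None, "class_ids": [], "channel": None}
        section = None
        for line in block.splitlines():
            if not line.startswith(" "):          # top-level "Key: value" line
                section, _, value = line.partition(":")
                if section == "Service Name":
                    rec["name"] = value.strip()
                elif section == "Service RecHandle":
                    rec["handle"] = value.strip()
            elif section == "Service Class ID List":
                m = UUID_RE.search(line)
                if m:
                    rec["class_ids"].append(int(m.group(1), 16))
            elif section == "Protocol Descriptor List":
                m = CHANNEL_RE.match(line)
                if m:                              # open RFCOMM channel
                    rec["channel"] = int(m.group(1))
        records.append(rec)
    return records

def audit_services(text, allowed_class_ids):
    """Return advertised records whose class UUIDs are not all on the allow-list."""
    return [rec for rec in parse_sdptool_browse(text)
            if not rec["class_ids"] or set(rec["class_ids"]) - allowed_class_ids]

if __name__ == "__main__":
    for option, reason in check_main_conf(SAMPLE_MAIN_CONF).items():
        print(f"main.conf: {option}: {reason}")
    for rec in audit_services(SAMPLE_SDP, ALLOWED_CLASS_IDS):
        print(f"unexpected service {rec['name'] or '<unnamed>'} "
              f"(handle {rec['handle']}, RFCOMM channel {rec['channel']})")
```

On a BlueZ host the immediate, non-persistent counterparts of the first check are the `discoverable off` and `pairable off` commands in bluetoothctl; the second check is fed from `sdptool browse <bdaddr>` run against each device, and the unnamed record in the sample is exactly the kind of "hidden" service that only a service-record browse reveals.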
Security patches and firmware updates provided by the device manufacturers should be installed promptly, after testing, in line with the security requirements.
In order to enable secure operation of Bluetooth components, all devices connected to the network must be configured securely. Suitable security recommendations for clients are described in the corresponding modules of layer 3.
Review questions:
- Have all Bluetooth components been configured with sufficient security?
- Have preset PINs been changed, if possible?